There are four types of PPP interfaces:

  • Plain PPP for 3G/4G and modem devices

  • PPPoE for DSL or similar connections

  • PPTP and L2TP for ISPs that require them for authentication.

In most cases these are managed from the interface settings directly, but they can also be edited under Interfaces > Assignments on the PPPs tab.

See also

PPP Logs

PPP (Point-to-Point Protocol) Interface Types

Add or edit a PPP entry as follows:

  • Navigate to Interfaces > Assignments on the PPPs tab

  • Click fa-pencil to edit an existing entry or fa-plus to add a new entry

  • Set the Link Type

The Link Type determines the remaining options on the page. The available link types are explained throughout the remainder of this document.

PPP (3G/4G, Modem)

The PPP link type is used for talking to a modem over a serial device. This can be anything from a USB 3G/4G dongle for accessing a cellular network down to an old hardware modem for dial-up access.


Some cellular modems appear as Ethernet devices and not serial devices. Those are configured as regular interfaces, not as PPP devices.

When configuring a PPP device, the following options are available:

Link Interface

A list of serial devices that can be used to communicate with a modem. Click on a specific entry to select it for use.


The serial device for a modem is not automatically detected. Some modems present themselves as several devices, and the subdevice for the PPP line may be any of the available choices, but start with the last device, then try the first, and then others in between if none of those function.


A text description of this PPP instance, for reference (e.g. “VZW Modem”).


The country in which this system resides (e.g. United States).

Selecting a Country populates the Provider list.


The cellular service provider for this modem (e.g. Verizon).

Selecting a Provider populates the Plan list.


The type of cellular service this modem uses from Provider.

Selecting a Plan populates the remaining fields on the page with known values for that combination of Provider and Plan in that Country.

The remaining options can be configured manually if other values are needed, or when using an unlisted provider:

Username and Password

The credentials used for the PPP login, if any.

Phone Number

The number to dial at the ISP to gain access. For 3G/4G this tends to be a number such as *99# or #777, and for dial-up this is usually a traditional telephone phone number.

Access Point Name (APN)

This field is required by some ISPs to identify the service to which the client connects. Some providers use this to distinguish between consumer and business plans, or legacy networks.

APN Number

Optional setting. Defaults to 1 if the APN is set, and ignored when APN is unset.


Security code on the SIM to prevent unauthorized use of the card. Do not enter anything here if the SIM does not have a PIN.


Number of seconds to wait for SIM to discover network after the PIN is sent to the SIM. If the delay is not long enough, the SIM may not have time to initialize properly after unlocking.

Init String

The modem initialization string, if necessary. Do not include AT at the beginning of the command. Most modern modems do not require a custom initialization string.

Connection Timeout

Time to wait for a connection attempt to succeed, in seconds. Default is 45 seconds.

Uptime Logging

When checked, the uptime for the connection is tracked and displayed on Status > Interfaces.

PPPoE (Point-to-Point Protocol over Ethernet)

PPPoE is a popular method of authenticating and gaining access to an ISP network, most commonly found on DSL networks, but may also be used on fiber or other link types.


Due to limitations in the way PPPoE frames are processed by network cards, incoming PPPoE traffic is limited to a single network interface queue. As such, performance may be limited or otherwise lower than expected. See PPPoE with Multi-Queue NICs for details.

To configure a PPPoE link, start by setting Link Type to PPPoE and complete the remainder of the settings as follows:

Link Interface(s)

A list network interfaces that can be used for PPPoE. These are typically physical interfaces but it can also work over some other interface types such as VLANs. Select one for normal PPPoE, or multiple for MLPPP.


An optional text description of the PPP entry.

Username and Password

The credentials for this PPPoE circuit. These will be provided by the ISP, and the username is typically in the form of an e-mail address, such as mycompany@ispexample.com.

Service Name

Left blank for most ISPs, some require this to be set to a specific value. Contact the ISP to confirm the value if the connection does not function when left blank.

Configure NULL Service Name

Some ISPs require NULL be sent instead of a blank service name. Check this option when the ISP considers this behavior necessary.

Periodic Reset

Configures a pre-set time when the connection will be dropped and restarted. This is rarely needed, but in certain cases it can better handle reconnections when an ISP has forced daily reconnections or similar quirky behavior.

PPTP (Point-to-Point Tunneling Protocol)

Not to be confused with a PPTP VPN, this type of PPTP interface is meant to connect to an ISP and authenticate, much the same as PPPoE works. The options for a PPTP WAN are identical to the PPPoE options of the same name. Refer to the previous section for configuration information.

L2TP (Layer 2 Tunneling Protocol)

L2TP, as it is configured here, is used for connecting to an ISP that requires it for authentication as a type of WAN. L2TP works nearly identically to PPTP. Refer to the previous sections for configuration information.

L2TP has one additional option not found on other types:

Shared Secret

A shared secret used to authenticate the tunnel connection and encrypt control L2TP control packets. This must match the shared secret set on the L2TP server. May be left blank if the server does not support a shared secret.

Advanced PPP Options

All PPP types have several advanced options in common that can be edited in their entries here. In most cases these settings need not be altered. To show these options, click fa-cog Display Advanced.

Dial On Demand

The default behavior for a PPP link is to immediately connect and immediately attempt to reconnect when a link is lost. This behavior is described as Always On. Dial-on-Demand delays this connection attempt. When set, the firewall will wait until a packet attempts to leave the via this interface, and then it will connect. Once connected, it will not automatically disconnect.

Idle Timeout

A PPP connection will be held open indefinitely by default. A value in Idle Timeout, specified in seconds, will cause the firewall to monitor the line for activity. If there is no traffic on the link for the given amount of time, the link will be disconnected. If Dial-on-Demand has also been set, the firewall will return to dial-on-demand mode.


The firewall performs gateway monitoring by default which generates two ICMP pings per second on the interface. Idle Timeout will not function in this case. This can be worked around by editing the gateway for this PPP link, and checking Disable Gateway Monitoring.

Compression (vjcomp)

This option controls whether or not Van Jacobson TCP header compression will be used by this connection. By default it will be negotiated with the peer during login, so if both sides support the feature it will be used. Checking Disable vjcomp will cause the feature to always be disabled. Normally this feature is beneficial because it saves several bytes per TCP data packet, when possible. The option should almost always remain enabled.


This compression is ineffective for TCP connections with enabled modern extensions like time stamping or SACK, which modify TCP options between sequential packets.


The tcpmssfix option causes the PPP daemon to adjust incoming and outgoing TCP SYN segments so that the requested maximum segment size (MSS) is not greater than the amount allowed by the interface MTU. This is necessary in most cases to avoid problems caused by routers that drop ICMP “Datagram Too Big” messages. Without these messages, the originating machine sends data, it passes the rogue router then hits a machine that has an MTU that is not big enough for the data. Because the IP “Don’t Fragment” option is set, this machine sends an ICMP “Datagram Too Big” message back to the originator and drops the packet. The rogue router drops the ICMP message and the originator never gets to discover that it must reduce the fragment size or drop the IP Don’t Fragment option from its outgoing data. If this behavior is undesirable, check Disable tcpmssfix.


The MTU and MSS values for the interface may also be adjusted on the interface’s configuration page under the Interfaces menu, such as Interfaces > WAN (Interface Configuration).

Short Sequence (ShortSeq)

This option is only meaningful if MLPPP is negotiated with the provider. It proscribes shorter multi-link fragment headers, saving two bytes on every frame. It is not necessary to disable this for connections that are not multi-link. If MLPPP is active and this feature must be disabled, check Disable shortseq.

Address Control Field Compression (ACFComp)

This option only applies to asynchronous link types. It saves two bytes per frame. To disable this, check Disable ACF Compression.

Protocol Field Compression (ProtoComp)

This option saves one byte per frame for most frames. To disable this, check Disable Protocol Compression.

PPPoE has two additional advanced options:

Multilink over single link

When set, the firewall will use LCP multi-link extensions over a single link. This ignores the MTU/MRU settings. Only enable if supported by the ISP.

Force MTU

When set, overrides the MTU negotiated with the ISP with a higher value known to work on the link.


This option violates RFC 1661 and can break connectivity. While it may result in faster speed as larger packets can be transferred, there is no guarantee that it will function in the future if the provider makes changes.